Following our last article on the Data (Use and Access) Act 2025 (the “DUA Act“), which noted that some updates, including guidance from the Information Commissioner’s Office (the “ICO”) were still to follow, a significant new compliance obligation has now taken effect.
From 19 June 2026, individuals have a new statutory right to make a complaint directly to a data controller where they believe their rights under UK data protection law have been breached. Alongside this, UK data controllers are now required to implement a formal procedure for handling such complaints.
What has changed?
Before this, UK data protection law did not expressly provide data subjects with a statutory right to complain directly to the controller, nor did it impose an obligation on controllers to maintain a dedicated internal complaints process. The ICO already encouraged individuals to approach controllers first before escalating, but this was merely a matter of regulatory practice rather than statutory obligation.
The new right to complain sits alongside the existing right that data subjects have to complain to the ICO, giving individuals two routes when they believe their data protection rights have been breached. The change is intended to encourage concerns to be identified and resolved at an organisational level before regulatory escalation becomes necessary.
What must organisations do?
The DUA Act introduces a number of new obligations on controllers. To assist organisations in understanding their obligations, the ICO published guidance setting out how organisations should prepare.
Organisations must:
- take active steps to make it easy for individuals to submit complaints. The ICO is flexible in how this is achieved and options include providing a complaint form that can be completed electronically or by other means and existing frameworks can be adapted for this purpose;
- update privacy notices and responses to data subject access requests (“DSARs”) to inform individuals of their new right to lodge a complaint with the controller. This is now a legal requirement;
- acknowledge receipt of a complaint within 30 days and then investigate the issue without undue delay. This includes the controller making appropriate enquiries into the subject matter of the complaint and keeping the complainant informed of progress where appropriate; and
- once the investigation is complete, inform the complainant of the outcome and the steps taken to resolve the complaint, including any actions taken as a result.
For many organisations, these requirements may align with existing customer complaints processes. The ICO has confirmed that a separate standalone system is not required, provided existing procedures are capable of identifying and handling data protection complaints appropriately.
The ICO’s guidance also includes a practical checklist for handling complaints and demonstrating compliance with the new obligations. Although the legal requirements may appear relatively straightforward, organisations should take the opportunity to review their wider governance arrangements.
Practical actions that organisations should take include:
- implementing an internal process for how complaints are received and handled in line with the new requirements;
- reviewing and updating privacy notices and DSAR response templates to ensure they inform data subjects of their right to complain directly to the controller in plain language;
- providing training to staff so they can recognise a data protection complaint and escalate it appropriately and consistently; and
- maintaining clear records of complaints, investigations, outcomes and any remedial actions taken in order to demonstrate compliance.
Organisations should also consider that complaints may arrive through less conventional channels. For example, where an individual attempts to make a complaint via social media, controllers must be able to identify this and respond appropriately, ideally moving the conversation to a more secure channel. Complaints from children will also require particular care. Controllers must assess the child’s ability to understand their rights and respond in clear, age-appropriate language.
Looking ahead
The DUA Act has elevated data protection complaint handling from encouraged regulatory practice into a formal statutory obligation. Organisations must ensure their procedures are documented, accessible and capable of demonstrating compliance if examined by the ICO.
This is also unlikely to be the end of the story. The legislation gives the Secretary of State power to introduce further regulations on complaint reporting in future, which could require controllers to proactively provide information to the ICO about the number and handling of complaints received over a certain period.
Although no such regulations have been introduced to date, controllers should ensure that complaint records are maintained in a way that would enable compliance if this changes. If implemented, these measures would add a further layer of accountability and increase the importance of robust complaint monitoring and record keeping, so controllers should be preparing now.
Steps organisations need to take now
The new complaints regime represents one of the first practical compliance changes arising from the DUA Act to take effect. For organisations that do not have a dedicated data protection complaints procedure in place, immediate action is required. Existing policies should also be reviewed against the new statutory requirements.
The new Information Commission (which will replace the ICO under the DUA Act’s wider reforms) is expected to issue further guidance in due course However, given that the new rights are already in force, organisations should act now.
How can we help?
Our experienced Data Protection & Privacy team can assist with reviewing your existing data protection documentation, drafting or updating complaints procedures and policies and advising on compliance with the DUA Act more broadly. Please do not hesitate to get in touch if you have any questions or would like further advice.